Linux Event Logging for Enterprise-Class Systems

Summary of Features

  1. Event records are (draft) POSIX-compliant and consist of a fixed structure representing attributes of the event record, and a variable-length data buffer, containing the event data.
  2. Supports logging of textual strings and binary data and provides formatting templates for customized formatting and displaying of event records.
  3. All events are written either to the general event log or to an optional private log, which has more restrictive read access. Both logs are binary.
  4. Messages currently logged with printk() and syslog() and handled by the syslogd daemon can also (optionally) be logged into the new event log. When written to the new log, events are stored in the POSIX-compliant format and carry additional information that syslogd does not record: facility, severity, event type, user id, group id, process id, process group id, thread id, and (on SMP systems) processor id.
  5. In addition to the existing printk() and syslog() functions, new and more flexible write functions are provided in both kernel and user-space.
  6. A facility registry, where providers of event records can register new facilities uniquely associated with their device driver, application program, etc. The standard syslog facilities are also included in the registry. The registry also provides facility-based logging control, such as specifying whether events with a particular facility are written to the general event log or to the private event log.
  7. Users, or clients, that read events from the event log for problem determination, system administration, etc, are provided with 2 key capabilities:
    1. Ability to selectively read only the events in the log that match a user-specified filter.
    2. Ability to register with an event notification server to be notified when events matching a user-specified filter have been written to the event log and to also specify what actions to take (function, command, or shell script to execute) when notified.
  8. Extensive control and management of events and the event logs, which includes:
    1. Configurable event buffer size
    2. Detection of event buffer overrun conditions, which cause events to be dropped (a dropped-event count is logged)
    3. Optional discarding of duplicate events (a discarded-event count is logged)
    4. Optional screening and discarding of events which match System Admin specified criteria
    5. Utilities for
  9. Remote event forwarding feature that allows multiple hosts in the network to forward events via UDP or TCP to a centralized "event consolidation" host. Logging of events locally on the source hosts can optionally be disabled.
  10. In addition to local logging of events, and forwarding of events to a remote centralized host, a plug-in architecture is provided which allows alternative "event processors" to be easily added.
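The record layout (fixed header plus variable-length data), the filtered read, and the overrun and duplicate counters above are easiest to see together in code. The following C program is an added example, not code from the evlog project, and its struct and function names (evl_hdr, evl_log, evl_write, evl_read_filtered, evl_demo) are hypothetical stand-ins rather than the project's actual API or on-disk format. The log buffer is kept deliberately small and the six events are constructed so that one write is discarded as a duplicate and one is dropped on overrun.

```c
/* Added example, not code from the evlog project: a minimal in-memory model of
 * a binary event log with a fixed header plus variable-length data, a bounded
 * buffer that counts events dropped on overrun, optional duplicate discarding
 * with a discarded-event count, and a filter-based read. All names are
 * hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EVL_MAX_DATA 64   /* assumed cap on the variable-length data buffer */
#define EVL_CAPACITY  4   /* assumed, deliberately small, to force an overrun */

/* Fixed part of a record: the per-event attributes the feature list names. */
struct evl_hdr {
    uint32_t facility;
    uint32_t severity;    /* syslog convention: lower value = more severe */
    uint32_t event_type;
    uint32_t uid, gid, pid, pgid, tid;
    uint32_t processor;   /* CPU the event was logged on (SMP) */
    uint32_t data_len;    /* bytes of variable-length data that follow */
};

struct evl_rec {
    struct evl_hdr hdr;
    unsigned char data[EVL_MAX_DATA];
};

struct evl_log {
    struct evl_rec recs[EVL_CAPACITY];
    size_t count;
    unsigned long dropped;    /* lost to buffer overrun (count is logged) */
    unsigned long discarded;  /* duplicates discarded (count is logged) */
    int discard_dups;         /* optional duplicate screening on/off */
};

/* Header is all uint32_t (no padding), so a byte compare is a field compare. */
static int evl_same_event(const struct evl_rec *a, const struct evl_rec *b)
{
    return memcmp(&a->hdr, &b->hdr, sizeof a->hdr) == 0 &&
           memcmp(a->data, b->data, a->hdr.data_len) == 0;
}

/* Write one event. Returns 1 if stored, 0 if discarded as a duplicate or
 * dropped on overrun; both failure modes are counted, never silent. */
int evl_write(struct evl_log *log, const struct evl_hdr *hdr,
              const void *data, size_t len)
{
    struct evl_rec rec;
    memset(&rec, 0, sizeof rec);
    if (len > EVL_MAX_DATA)
        len = EVL_MAX_DATA;            /* truncate instead of overflowing */
    rec.hdr = *hdr;
    rec.hdr.data_len = (uint32_t)len;
    memcpy(rec.data, data, len);

    if (log->discard_dups && log->count > 0 &&
        evl_same_event(&rec, &log->recs[log->count - 1])) {
        log->discarded++;
        return 0;
    }
    if (log->count >= EVL_CAPACITY) {
        log->dropped++;
        return 0;
    }
    log->recs[log->count++] = rec;
    return 1;
}

/* A user-specified filter for selective reads: facility plus worst severity. */
struct evl_filter { uint32_t facility; uint32_t max_severity; };

size_t evl_read_filtered(const struct evl_log *log, const struct evl_filter *f,
                         const struct evl_rec **out, size_t max_out)
{
    size_t i, n = 0;
    for (i = 0; i < log->count && n < max_out; i++) {
        const struct evl_hdr *h = &log->recs[i].hdr;
        if (h->facility == f->facility && h->severity <= f->max_severity)
            out[n++] = &log->recs[i];
    }
    return n;
}

/* Constructed scenario: six writes into a four-slot log with duplicate
 * discarding enabled. Returns the number of records matching facility 3 at
 * severity 3 or worse; the log is left in demo_log for inspection. */
static struct evl_log demo_log;

size_t evl_demo(void)
{
    static const struct { uint32_t fac, sev; const char *msg; } in[] = {
        {3, 2, "disk error"},
        {3, 2, "disk error"},  /* exact duplicate: discarded and counted */
        {1, 6, "login ok"},
        {3, 3, "fs remount"},
        {1, 7, "debug"},
        {3, 1, "panic"},       /* fifth distinct event: buffer full, dropped */
    };
    const struct evl_rec *hits[EVL_CAPACITY];
    struct evl_filter f = { 3, 3 };
    struct evl_hdr h = { 0, 0, 0, 0, 0, 1234, 1234, 1234, 0, 0 };
    size_t i;

    memset(&demo_log, 0, sizeof demo_log);
    demo_log.discard_dups = 1;
    for (i = 0; i < sizeof in / sizeof in[0]; i++) {
        h.facility = in[i].fac;
        h.severity = in[i].sev;
        evl_write(&demo_log, &h, in[i].msg, strlen(in[i].msg));
    }
    return evl_read_filtered(&demo_log, &f, hits, EVL_CAPACITY);
}

int main(void)
{
    size_t hits = evl_demo();
    printf("stored=%zu dropped=%lu discarded=%lu matching=%zu\n",
           demo_log.count, demo_log.dropped, demo_log.discarded, hits);
    return 0;
}
```

Two points worth noting from the run: the "panic" event at severity 1 is the one that overruns the buffer, so the filtered read never sees it and only the dropped-event count records that something was lost, which is why that counter matters for forensics. The duplicate check here compares the whole header, which only works because this model has no timestamp field; a real record carries one, so duplicate screening must compare everything except the timestamp.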